1. Technical Field
Embodiments of the present invention relate generally to communications networks and more particularly to a method, system, and machine-readable medium for securely maintaining communications network connection data.
2. Description of the Related Art
As data processing systems have become more prevalent, so have the communications networks used to transfer data generated by, and provide communications between, such data processing systems. FIG. 1 illustrates one exemplary communications network system according to the prior art and useable in conjunction with one or more embodiments of the present invention. Communications network system 100 as depicted in FIG. 1 includes a number of communications networks (e.g., communications networks 102A and 102B) coupled together and in communication with one another. In the illustrated system, for example, communications network 102A and communications network 102B each comprise local area networks (LANs) coupled together via a wide area network (WAN) or metropolitan area network (MAN) (e.g., communications network 104 as shown). Communications networks 102A and 102B may be referred to interchangeably as “segments” within the present description.
Communications network 102A of communications network system 100 includes a number of network elements or “nodes” coupled together via a communications medium 106A. A network element or “node” may include any of a number of logical or physical devices coupled to a communications network such as server 108A or desktop computer system 110A, coupled directly to communications medium 106A, or alternatively such a device (e.g., personal digital assistant 112, tablet computer system 114, or notebook computer system 116) coupled to communications medium 106A via a wireless connection (e.g., wireless access point 118) as shown. A network element may also comprise logical or physical elements or devices provided at other functional or structural levels (e.g., a port, adapter, hub, router, gateway, bridge, application, protocol, protocol layer, or the like). While the previously described network elements all act primarily as terminal network elements (e.g., a “source” or a “sink” for data communications), communications network 102A additionally includes a forwarding communication element (e.g., router 120A) coupled to, and routing data communication between, communications network 102A, communications network 104, and ultimately communications network 102B.
Communications network 102B is similarly coupled to and in communication with communications networks 104 and 102A via a corresponding forwarding communication element (e.g., router 120B) and includes a communications medium 106B and one or more terminal network elements or “nodes” (e.g., server 108B and desktop computer system 110B). Communication between a terminal network element of communications network 102B (e.g., server 108B) and a terminal network element of communications network 102A (e.g., desktop computer system 110A) may be conducted via a path including, for example, communications medium 106B, router 120B, communications network 104, router 120A, and communications medium 106A.
In a conventional communications network system such as is illustrated in FIG. 1, data communications are conducted by transmitting data in a “packet” format. A packet is a unit of data which is routed between an origin or “source” and a destination terminal network element on a packet-switched communications network. In general, a packet includes metadata (e.g., a header) and data (sometimes referred to as a payload or payload data) in combination. The metadata of a packet indicates how the packet's data is to be transferred or routed from source to destination. Frequently, a header includes metadata identifying a destination communications network, network connection, or network element.
Packets may be transferred using a hierarchical communications protocol stack in which a packet may be encapsulated and/or de-encapsulated by various communications protocols during transmission through a communications network. In encapsulation, a packet (i.e., both the packet's metadata and data) formatted according to a first communications protocol is stored within or “encapsulated” as the data portion of another, larger packet, formatted according to a second (e.g., hierarchically lower level) communications protocol. In de-encapsulation, an inverse operation is performed in which data of a packet having a first communications protocol format is separated into metadata and data of a packet having a second (e.g., hierarchically higher level) communications protocol format. The use of such hierarchical communications protocol stacks provides the ability to abstract a given protocol stack layer from the viewpoint of its adjacent (or other) protocol layers as well as to provide a fixed interface.
FIG. 2 illustrates an exemplary communications network packet, formatted hierarchically utilizing a number of communications protocols, according to the prior art and useable in conjunction with one or more embodiments of the present invention. Consequently, the data and metadata depicted in FIG. 2 actually encompass a number of packets, as will be described. As illustrated in FIG. 2, each successive communications protocol layer adds metadata by prepending a header (and/or appending a trailer) to a packet received from an adjacent communications protocol layer. For instance, at an application protocol layer, an application header 204 is prepended to user data 202 to form application data 206. At a transport protocol layer, a transport protocol header is in turn prepended to application data 206. In exemplary packet 200 of FIG. 2, the Transmission Control Protocol (TCP) is used at the transport protocol layer, and consequently a TCP header 208 is prepended to application data 206, forming a TCP segment which may be provided to a hierarchically adjacent (network layer) protocol such as the Internet Protocol (IP).
At the network protocol layer, an IP header 210 is prepended to the described TCP segment, thus forming an IP datagram as shown. Finally, at a link protocol layer, a media header such as Ethernet header 212 is prepended to the packet received from the network layer to form a communication network frame. In some instances, such as when the media is Ethernet, a media trailer may also be appended to the packet data as shown. In the illustrated packet of FIG. 2, an Ethernet trailer 214 is shown appended to the combined data of Ethernet header 212 and the described IP datagram to form an Ethernet frame. A trailer may include various types of data or metadata and in one instance includes checksum type data (e.g., a cyclic redundancy check value) used to validate the previously transmitted packet data and detect any errors introduced during transmission.
Each combination of metadata and data (e.g., Ethernet frame, IP datagram, TCP segment, or the like) therefore comprises a packet which may be encapsulated or de-encapsulated or “interpreted” by an adjacent protocol layer. In order to assess or analyze a communications network or component portion thereof (e.g., to diagnose a network problem or error, to improve throughput, reliability, or the like) packets transmitted across a communications network may be examined. A number of packet capture and/or analysis tools, software applications, or routines are commercially available. Such packet capture, analysis, and/or display tools include, for example, the iptrace daemon within the Advanced Interactive eXecutive (AIX) operating system provided by International Business Machines of Armonk, N.Y.; the tcpdump Unix command provided by the Lawrence Berkeley National Laboratory (LBNL) of Berkeley, Calif.; and the Packetyzer™ packet analysis interface or Ethereal network protocol analyzer provided under the GNU General Public License.
While such packet capture and analysis tools provide a means for improving communications network operations, the output generated by such tools may contain sensitive information. For example, such output may include actual user data (e.g., passwords, customer information, or the like) or metadata (e.g., hardware or media access control (MAC) addresses, IP addresses, private TCP ports, or the like) which may not be generally available outside of an associated communications network or enterprise. Where packet analysis is performed by an enterprise's internal (e.g., information technology) staff, this may not present a problem. Where captured packet data is to be sent outside of an enterprise or network for analysis (e.g., to diagnose a problem associated with a communications network) conventional packet capture and/or analysis programs provide no mechanism for easily obscuring such sensitive information in a manner which may be automatically performed and/or easily negated or reversed.
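To make the FIG. 2 layering and the sanitization problem of the preceding paragraph concrete, the following added example (not part of this application) builds a constructed Ethernet/IPv4/TCP frame, replaces its MAC and IP addresses with consistent random pseudonyms, and restores them from a mapping table that stays inside the enterprise. Address offsets assume an untagged Ethernet frame carrying IPv4; the names AddressPseudonymizer, rewrite_frame and build_sample_frame are the example's own.

```python
import secrets
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over an IPv4 header whose checksum field is zeroed."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

class AddressPseudonymizer:
    """Reversible map from MAC/IP addresses to random values of the same length."""
    def __init__(self):
        self.forward, self.reverse = {}, {}

    def pseudonym(self, value: bytes) -> bytes:
        if value not in self.forward:
            alias = secrets.token_bytes(len(value))
            while alias in self.reverse or alias == value:  # keep the map one-to-one
                alias = secrets.token_bytes(len(value))
            self.forward[value], self.reverse[alias] = alias, value
        return self.forward[value]

    def original(self, alias: bytes) -> bytes:
        return self.reverse[alias]

def rewrite_frame(frame: bytes, translate) -> bytes:
    """Apply translate() to the MACs and IPv4 addresses, then fix the IP header checksum."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    out = bytearray(frame)
    out[0:6], out[6:12] = translate(frame[0:6]), translate(frame[6:12])
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0  # IPv4 header length in bytes
    if frame[12:14] == b"\x08\x00" and 20 <= ihl <= len(frame) - 14:  # EtherType 0x0800 = IPv4
        out[26:30], out[30:34] = translate(frame[26:30]), translate(frame[30:34])
        out[24:26] = b"\x00\x00"  # checksum is computed with its own field zeroed
        out[24:26] = struct.pack("!H", ipv4_checksum(bytes(out[14:14 + ihl])))
    return bytes(out)  # TCP checksum and payload are intentionally untouched here

def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame in the FIG. 2 layering (sample addresses)."""
    payload = b"user data"
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    return eth + bytes(ip) + tcp + payload
```

The TCP checksum, which covers the IP addresses through its pseudo-header, and any sensitive payload are left unchanged; a capture sanitizer intended for external analysis would recompute the former and redact the latter.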